Cloud IAM permissions for XML requests

The following table lists the Cloud Identity and Access Management (Cloud IAM) permissions required to run each Cloud Storage XML method on a given resource.

| Method | Resource | Subresource | Required Cloud IAM Permissions¹ |
|--------|----------|-------------|---------------------------------|
| DELETE | bucket | | storage.buckets.delete |
| DELETE | object | | storage.objects.delete |
| GET | | | storage.buckets.list |
| GET | bucket | | storage.objects.list |
| GET | bucket | acls | storage.buckets.get |
| GET | bucket | Non-ACL metadata | storage.buckets.get |
| GET | object | | storage.objects.get |
| GET | object | acls | storage.objects.get |
| HEAD | bucket | | storage.buckets.get |
| HEAD | object | | storage.objects.get |
| POST | object | | storage.objects.create |
| PUT | bucket | | storage.buckets.create |
| PUT | bucket | acls | storage.buckets.get |
| PUT | bucket | Non-ACL metadata | storage.buckets.update |
| PUT | object | | storage.objects.create² |
| PUT | object | compose | storage.objects.create for the destination bucket; storage.objects.get for the source bucket |
| PUT | object | acls | storage.objects.get |

1 If you use the x-goog-user-project header or userProject query string parameter in your request, you must have permission for the project ID that you specify, in addition to the normal Cloud IAM permissions required to make the request.

2 If the x-goog-copy-source header is present, the requester also requires storage.objects.get permission on the bucket from which the object is copied.

3 This permission does not apply to buckets with Bucket Policy Only enabled.
